Hello, the error in the previous script that I've sent, was caused by the encoding of my mail client. === Christian Eric Edjenguele IT Security Software Developer & Researcher tel. +39 3408580513 View my linkedin profile: http://www.linkedin.com/in/edjenguele My blog: http://www.edjenguele.blogspot.com --- Management, Developers, Security Professionals – can only result in one thing…… better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008
----- Messaggio originale ----- Da: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> A: [email protected] Inviato: Martedì 2 settembre 2008, 16:35:58 Oggetto: Openvas-plugins Digest, Vol 10, Issue 2 Send Openvas-plugins mailing list submissions to [email protected] To subscribe or unsubscribe via the World Wide Web, visit http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED] You can reach the person managing the list at [EMAIL PROTECTED] When replying, please edit your Subject line so it is more specific than "Re: Contents of Openvas-plugins digest..." Today's Topics: 1. Re: [Openvas-devel] Plugins development (moved to -plugins, please do not cc -devel in further responses) (Tim Brown) 2. Re: [Openvas-devel] Plugins development (moved to -plugins, please do not cc -devel in further responses) (Christian Eric EDJENGUELE) 3. MS00-06 NVT (Christian Eric EDJENGUELE) 4. Re: MS00-06 NVT (Vlatko Kosturjak) 5. Filemaker Pro NVT (Christian Eric EDJENGUELE) ---------------------------------------------------------------------- Message: 1 Date: Tue, 2 Sep 2008 13:01:08 +0100 From: Tim Brown <[EMAIL PROTECTED]> Subject: Re: [Openvas-plugins] [Openvas-devel] Plugins development (moved to -plugins, please do not cc -devel in further responses) To: [email protected] Cc: Christian Eric EDJENGUELE <[EMAIL PROTECTED]>, [EMAIL PROTECTED] Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset="utf-8" On Monday 01 September 2008 18:37:43 Christian Eric EDJENGUELE wrote: > so, i made a HTTP GET REQUEST,?does openvas has a function to?lookup for > specific string in the header ? > > for example if the response look like this: > > date: 12/30/2008 > server: apache 2.25 (Win32) > > can I get the header 'server' and lookup for the string Win32 ? or they are > not function that do that, and I've to use alternate method (regular Yes, there are several ways to do this. Either the >< operator or stridx can be used for this purpose. For example: if (response >< Win32) { ... } or: if (stridx(response, "Win32)) >= 0) { ... } Cheers, Tim -- Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/> ------------------------------ Message: 2 Date: Tue, 2 Sep 2008 12:25:33 +0000 (GMT) From: Christian Eric EDJENGUELE <[EMAIL PROTECTED]> Subject: Re: [Openvas-plugins] [Openvas-devel] Plugins development (moved to -plugins, please do not cc -devel in further responses) To: Tim Brown <[EMAIL PROTECTED]>, [email protected] Cc: [EMAIL PROTECTED] Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=utf-8 yes, I have made exactly in that way. ?=== Christian Eric Edjenguele IT Security Software Developer & Researcher tel. +39 3408580513 View my linkedin profile: http://www.linkedin.com/in/edjenguele My blog: http://www.edjenguele.blogspot.com --- Management, Developers, Security Professionals ? can only result in one thing?? better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 ----- Messaggio originale ----- Da: Tim Brown <[EMAIL PROTECTED]> A: [email protected] Cc: Christian Eric EDJENGUELE <[EMAIL PROTECTED]>; [EMAIL PROTECTED] Inviato: Marted? 2 settembre 2008, 14:01:08 Oggetto: Re: [Openvas-devel] Plugins development (moved to -plugins, please do not cc -devel in further responses) On Monday 01 September 2008 18:37:43 Christian Eric EDJENGUELE wrote: > so, i made a HTTP GET REQUEST,?does openvas has a function to?lookup for > specific string in the header ? > > for example if the response look like this: > > date: 12/30/2008 > server: apache 2.25 (Win32) > > can I get the header 'server' and lookup for the string Win32 ? or they are > not function that do that, and I've to use alternate method (regular Yes, there are several ways to do this.? Either the >< operator or stridx can be used for this purpose.? For example: if (response >< Win32) { ??? ... } or: if (stridx(response, "Win32)) >= 0) { ??? ... } Cheers, Tim -- Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/> __________________________________________________ Do You Yahoo!? Poco spazio e tanto spam? Yahoo! Mail ti protegge dallo spam e ti da tanto spazio gratuito per i tuoi file e i messaggi http://mail.yahoo.it ------------------------------ Message: 3 Date: Tue, 2 Sep 2008 12:59:05 +0000 (GMT) From: Christian Eric EDJENGUELE <[EMAIL PROTECTED]> Subject: [Openvas-plugins] MS00-06 NVT To: openvas-plugins <[email protected]> Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=utf-8 Hi all here is the NVT for MS00-06, shortly I'll send the Filemaker, MDNS and EMC Legato information gathering modules. Note that the script_id is missing. # OpenVAS Vulnerability Test # $Id$ # Description: # This program test for the following vulnerabilities: # Microsoft Index Server File Information and Path Disclosure Vulnerability (MS00-006) # Microsoft Index Server 'Malformed Hit-Highlighting' Directory Traversal Vulnerability (MS00-006) # Microsoft IIS 'idq.dll' Directory Traversal Vulnerability (MS00-006) # Microsoft Index Server ASP Source Code Disclosure Vulnerability (MS00-006) # # Author: # Christian Eric Edjenguele <[EMAIL PROTECTED]> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 and later, # as published by the Free Software Foundation # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.? See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. # ? ?if(description) { script_id(00000); script_bugtraq_id(950); script_xref(name: "Microsoft", value: "MS00-006"); script_cve_id("CVE-2000-0097"); name["english"] = "Malformed Hit-Highlighting Argument Vulnerability "; script_name(english:name["english"]); ? ?desc["english"] = " The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability.? Solution : To Fix that, you must download the latest upodates from microsoft security website: http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp. Risk factor : Medium"; script_description(english:desc["english"]); ? summary["english"] = "A vulnerability on Microsoft index server allows unauthorized predictable file location"; script_summary(english:summary["english"]); ? script_category(ACT_GATHER_INFO); ? script_copyright(english:"This script is under GPL v2 +"); family["english"] = "General"; script_family(english:family["english"]); script_dependencie("find_service.nes"); script_require_ports("Services/www", 80); ?exit(0); } # # The script code starts here # include("http_func.inc"); port = get_http_port(default:80); # Asp files the plugin will test pages? = make_array( 1, 'default.asp', 2, 'iisstart.asp', 3, 'localstart.asp') # open http connection to the remote host soc = http_open_soc(port); if (!soc) return(1); # Build the malicious request ?foreach asp_files (pages) { ? ?req = http_get( item:string( '\/null.htw?CiWebHitsFile=\/' + asp_file + '%20&CiRestriction=none&CiHiliteType=Full')); ?send(socket:soc, data: req); ? # Get back the response reply_code = recv_line(socket:soc, length:1204); if(reply_code) { reply_header = recv_headers2(socket:soc); reply_headers = strcat(reply_code, reply_header); reply_body = http_recv_body(socket:soc, headers: reply_headers); reply_bodylowerized = reply_body.lower(); } # clode http connection http_close_socket(soc); # check the reply for vulnerability if('Microsoft-IIS' >< reply_headers && reply_code == 200 && string('<html>') >< reply_bodylowerized) security_hole(port); ?=== Christian Eric Edjenguele IT Security Software Developer & Researcher tel. +39 3408580513 View my linkedin profile: http://www.linkedin.com/in/edjenguele My blog: http://www.edjenguele.blogspot.com --- Management, Developers, Security Professionals ? can only result in one thing?? better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 __________________________________________________ Do You Yahoo!? Poco spazio e tanto spam? Yahoo! Mail ti protegge dallo spam e ti da tanto spazio gratuito per i tuoi file e i messaggi http://mail.yahoo.it ------------------------------ Message: 4 Date: Tue, 02 Sep 2008 15:59:57 +0200 From: Vlatko Kosturjak <[EMAIL PROTECTED]> Subject: Re: [Openvas-plugins] MS00-06 NVT To: openvas-plugins <[email protected]> Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset="utf-8" Hello! Thanks for the submission. But it seems your nasl script does not work (it has syntax errors!). Have you tested the script? I made few fixes to your script, but I stopped fixing it because there is lot more errors. here's the latest one: openvas-nasl -X remote-ms00-06-kost.nasl ** WARNING : packet forgery will not work ** as NASL is not running as root [17659]() Unknown escape sequence \/ [17659]() Unknown escape sequence \/ syntax error, unexpected '.', expecting ';' Parse error at or near line 84 Please, test your script at least with "openvas-nasl -X" Christian Eric EDJENGUELE wrote: > Hi all here is the NVT for MS00-06, shortly I'll send the Filemaker, MDNS and > EMC Legato information gathering modules. Note that the script_id is missing. > > # OpenVAS Vulnerability Test > # $Id$ > # Description: > # This program test for the following vulnerabilities: > # Microsoft Index Server File Information and Path Disclosure Vulnerability > (MS00-006) > # Microsoft Index Server 'Malformed Hit-Highlighting' Directory Traversal > Vulnerability (MS00-006) > # Microsoft IIS 'idq.dll' Directory Traversal Vulnerability (MS00-006) > # Microsoft Index Server ASP Source Code Disclosure Vulnerability (MS00-006) > # > # Author: > # Christian Eric Edjenguele <[EMAIL PROTECTED]> > # > # This program is free software; you can redistribute it and/or modify > # it under the terms of the GNU General Public License version 2 and later, > # as published by the Free Software Foundation > # > # This program is distributed in the hope that it will be useful, > # but WITHOUT ANY WARRANTY; without even the implied warranty of > # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > # GNU General Public License for more details. > # > # You should have received a copy of the GNU General Public License > # along with this program; if not, write to the Free Software > # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. > # > > > if(description) > { > script_id(00000); > script_bugtraq_id(950); > script_xref(name: "Microsoft", value: "MS00-006"); > script_cve_id("CVE-2000-0097"); > name["english"] = "Malformed Hit-Highlighting Argument Vulnerability "; > script_name(english:name["english"]); > > desc["english"] = " > The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to > read arbitrary files, > aka the "Malformed Hit-Highlighting Argument" vulnerability. > > Solution : > To Fix that, you must download the latest upodates from microsoft security > website: > http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp. > Risk factor : Medium"; > script_description(english:desc["english"]); > > summary["english"] = "A vulnerability on Microsoft index server allows > unauthorized predictable file location"; > script_summary(english:summary["english"]); > > script_category(ACT_GATHER_INFO); > > script_copyright(english:"This script is under GPL v2 +"); > family["english"] = "General"; > script_family(english:family["english"]); > script_dependencie("find_service.nes"); > script_require_ports("Services/www", 80); > > exit(0); > } > # > # The script code starts here > # > include("http_func.inc"); > port = get_http_port(default:80); > # Asp files the plugin will test > pages = make_array( 1, 'default.asp', 2, 'iisstart.asp', 3, 'localstart.asp') > # open http connection to the remote host > soc = http_open_soc(port); > if (!soc) return(1); > # Build the malicious request > foreach asp_files (pages) > { > > req = http_get( item:string( '\/null.htw?CiWebHitsFile=\/' + asp_file + >'%20&CiRestriction=none&CiHiliteType=Full')); > send(socket:soc, data: req); > > # Get back the response > reply_code = recv_line(socket:soc, length:1204); > if(reply_code) > { > reply_header = recv_headers2(socket:soc); > reply_headers = strcat(reply_code, reply_header); > reply_body = http_recv_body(socket:soc, headers: reply_headers); > reply_bodylowerized = reply_body.lower(); > } > # clode http connection > http_close_socket(soc); > # check the reply for vulnerability > if('Microsoft-IIS' >< reply_headers && reply_code == 200 && string('<html>') > >< reply_bodylowerized) > security_hole(port); > === > Christian Eric Edjenguele > IT Security Software Developer & Researcher > tel. +39 3408580513 > View my linkedin profile: http://www.linkedin.com/in/edjenguele > My blog: http://www.edjenguele.blogspot.com > --- > Management, Developers, Security Professionals ? can only result in one > thing?? better security. > http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept > 22nd-25th 2008 > > __________________________________________________ > Do You Yahoo!? > Poco spazio e tanto spam? Yahoo! Mail ti protegge dallo spam e ti da tanto > spazio gratuito per i tuoi file e i messaggi > http://mail.yahoo.it > _______________________________________________ > Openvas-plugins mailing list > [email protected] > http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: remote-ms00-06-kost.nasl Url: http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080902/252d9237/remote-ms00-06-kost.pot ------------------------------ Message: 5 Date: Tue, 2 Sep 2008 14:35:44 +0000 (GMT) From: Christian Eric EDJENGUELE <[EMAIL PROTECTED]> Subject: [Openvas-plugins] Filemaker Pro NVT To: openvas-plugins <[email protected]> Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=utf-8 # OpenVAS Vulnerability Test # $Id$ # Description: This script ensure that the FileMaker database server is installed # # Author: # Christian Eric Edjenguele <[EMAIL PROTECTED]> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 and later, # as published by the Free Software Foundation # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.? See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. # if(description) { script_id(00000); name["english"] = "FileMaker service detection"; script_name(english:name["english"]); ? ?desc["english"] = " The remote host is running the Filemaker database server.? Solution : You should Allow connection to this host only from trusted host or networks, or disable the service if not used. Risk factor : None"; script_description(english:desc["english"]); ? summary["english"] = "FileMaker Pro is a cross-platform relational database application from FileMaker Inc. (a subsidiary of Apple Inc.), has compatible versions for both the Mac OS X and Microsoft Windows operating systems "; script_summary(english:summary["english"]); ? script_category(ACT_GATHER_INFO); ? script_copyright(english:"This script is under GPL v2 +"); family["english"] = "Service detection"; script_family(english:family["english"]); ?exit(0); } # default port for Filemaker port = 5003 filemaker_auth_packet =??? '\x47\x49\x4f\x50\x01\x02\x01\x00\x14\x01\x00\x00\x04\x00\x00\x00'; filemaker_auth_packet +=? '\x03\x00\x00\x00\x00\x00\x00\x00\x17\x00\x00\x00\xff\x6f\x6d\x6e'; filemaker_auth_packet +=? '\x69\x49\x4e\x53\x50\x4f\x41\xff\x46\x4d\x50\x4f\x41\x00\x46\x4d'; filemaker_auth_packet +=? '\x52\x50\x4f\x00\x08\x00\x00\x00\x43\x6f\x6e\x6e\x65\x63\x74\x00'; filemaker_auth_packet +=? '\x00\x00\x00\x00\x05\x00\x00\x00\x0c\x00\x00\x00\x49\x44\x4c\x3a'; filemaker_auth_packet +=? '\x52\x50\x4f\x3a\x31\x2e\x30\x00\x01\x00\x00\x00\x00\x00\x00\x00'; filemaker_auth_packet +=? '\x6c\x00\x00\x00\x01\x01\x02\x00\x0b\x00\x00\x00\x31\x30\x2e\x34'; filemaker_auth_packet +=? '\x2e\x31\x31\x2e\x39\x34\x00\x00\x8b\x13\x00\x00\x17\x00\x00\x00'; filemaker_auth_packet +=? '\xff\x6f\x6d\x6e\x69\x49\x4e\x53\x50\x4f\x41\xff\x46\x4d\x50\x4f'; filemaker_auth_packet +=? '\x41\x00\x46\x4d\x52\x50\x4f\x00\x02\x00\x00\x00\x00\x00\x00\x00'; filemaker_auth_packet +=? '\x08\x00\x00\x00\x01\x00\x00\x00\x00\x54\x54\x41\x01\x00\x00\x00'; filemaker_auth_packet +=? '\x1c\x00\x00\x00\x01\x00\x00\x00\x01\x00\x01\x00\x01\x00\x00\x00'; filemaker_auth_packet +=? '\x01\x00\x01\x05\x09\x01\x01\x00\x01\x00\x00\x00\x09\x01\x01\x00'; filemaker_auth_packet +=? '\x4c\x00\x00\x00\x01\x01\x08\x2d\x22\x2a\x3f\x34\x29\x2a\x68\x23'; filemaker_auth_packet +=? '\x69\x62\x0c\x6e\x6f\x0e\x17\x17\x63\x14\x14\x0e\x62\x6c\x6e\x63'; filemaker_auth_packet +=? '\x0c\x6d\x63\x6f\x69\x6f\x6d\x68\x0e\x10\x17\x0c\x17\x68\x02\x14'; filemaker_auth_packet +=? '\x11\x0e\x0e\x09\x0a\x28\x35\x7a\x62\x74\x6a\x2c\x6b\x11\x6a\x6a'; filemaker_auth_packet +=? '\x60\x6a\x39\x60\x68\x63\x60\x6f\x69\x60\x39\x6e\x60\x6c\x3b\x15'; # declare that Filemaker is not installed yet is_filemaker = 0; if(get_port_state(port)) { soc = open_sock_tcp(port); if(soc) { ? send(socket:soc, data: filemaker_auth_packet); reply = recv(socket:soc, length:136); # Check that Filemaker is not tcpwrapped. And that it's really Filemaker if(stridx(reply, "GIOP", 0)) is_filemaker = 1; } close(soc); } # # Report Filemaker installed #? if(is_filemaker == 1) { ? report = "This host seems to running the Filemaker database server"; ? security_note(port:port, data:report); } ?=== Christian Eric Edjenguele IT Security Software Developer & Researcher tel. +39 3408580513 View my linkedin profile: http://www.linkedin.com/in/edjenguele My blog: http://www.edjenguele.blogspot.com --- Management, Developers, Security Professionals ? can only result in one thing?? better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 __________________________________________________ Do You Yahoo!? Poco spazio e tanto spam? Yahoo! Mail ti protegge dallo spam e ti da tanto spazio gratuito per i tuoi file e i messaggi http://mail.yahoo.it ------------------------------ _______________________________________________ Openvas-plugins mailing list [email protected] http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins End of Openvas-plugins Digest, Vol 10, Issue 2 ********************************************** __________________________________________________ Do You Yahoo!? Poco spazio e tanto spam? Yahoo! Mail ti protegge dallo spam e ti da tanto spazio gratuito per i tuoi file e i messaggi http://mail.yahoo.it _______________________________________________ Openvas-plugins mailing list [email protected] http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
